#!/usr/bin/env python3.3
"""Test / demo script for Apple OpenSSL Verification Surprises (CVE-2014-2234)

https://hynek.me/articles/apple-openssl-verification-surprises/
Christian Heimes <christian@python.org>

The script opens three TLS connections and reports whether OpenSSL's chain
verification behaves as expected:

1. apple.com against the system default trust store    -> expected PASS
2. www.cacert.org against the CAcert root only          -> expected PASS
3. apple.com against the CAcert root only               -> expected to FAIL

A "BUG" verdict on check 3 (exit status 1) means the platform accepted a
chain that the configured roots cannot validate.  The CAcert root used for
checks 2 and 3 is the PEM block at the bottom of this file; the script
passes its own path to OpenSSL as ``cafile``.
"""
import os | |
import platform | |
import socket | |
import ssl | |
import sys | |
# Absolute path of this script.  It is also handed to OpenSSL as ``cafile``
# (see tea_bug), which works because a PEM certificate block is embedded at
# the end of the file.
FILE = os.path.abspath(__file__)
# Directory containing the script; passed to OpenSSL as ``capath``.
HERE = os.path.split(FILE)[0]
# ``(host, port)`` endpoints exercised by the checks.
APPLE = ("apple.com", 443)
CACERT = ("www.cacert.org", 443)
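def get_server_certificate(addr, cafile=None, capath=None, protocol=None):
    """Connect to ``addr`` over TLS, verify the peer chain and return the cert.

    Args:
        addr: ``(host, port)`` tuple passed to ``socket.create_connection``.
        cafile: PEM file of trusted roots, or ``None``.
        capath: OpenSSL hashed CA directory, or ``None``.
        protocol: ``ssl.PROTOCOL_*`` constant used for the context.  ``None``
            selects the "negotiate the highest mutually supported TLS version"
            protocol (``PROTOCOL_TLS`` where available, ``PROTOCOL_SSLv23`` on
            older Pythons).  The script originally pinned ``PROTOCOL_SSLv3``;
            that constant does not exist on OpenSSL builds without SSLv3
            support (the call then died with ``AttributeError`` before any
            connection was made) and no current server accepts SSLv3, so it
            is no longer the default.

    When both ``cafile`` and ``capath`` are ``None`` the OpenSSL default trust
    store is used; otherwise only the given locations are trusted.

    Returns:
        The peer certificate as returned by ``SSLSocket.getpeercert()``.

    Raises:
        ssl.SSLError: handshake or chain-verification failure; the latter
            carries ``reason == "CERTIFICATE_VERIFY_FAILED"``.
        OSError: DNS or TCP connection failure.

    Note: only the chain is verified.  ``check_hostname`` is left at the
    context default (``False`` for a bare ``SSLContext``), so a valid chain
    for the wrong host still "passes".  That is sufficient for the TEA demo
    but not for production use.
    """
    if protocol is None:
        protocol = getattr(ssl, "PROTOCOL_TLS", ssl.PROTOCOL_SSLv23)
    ctx = ssl.SSLContext(protocol)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile is None and capath is None:
        ctx.set_default_verify_paths()
    else:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    # server_hostname only adds SNI to the ClientHello here (hostname
    # checking is controlled by ctx.check_hostname, which is untouched);
    # without SNI many servers refuse the handshake or present the wrong cert.
    with socket.create_connection(addr) as conn:
        with ctx.wrap_socket(conn, server_hostname=addr[0]) as sconn:
            return sconn.getpeercert()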
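def _try_verify(addr, cafile=None, capath=None):
    """Run one verification attempt; return the ssl.SSLError, or None on success."""
    try:
        get_server_certificate(addr, cafile, capath)
    except ssl.SSLError as e:
        return e
    return None


def _is_verify_failure(err):
    """True when *err* is a chain-verification failure, not some other handshake error."""
    # ``reason`` is the OpenSSL reason string (available since Python 3.3);
    # guarded with getattr in case a subclass lacks it.
    return getattr(err, "reason", None) == "CERTIFICATE_VERIFY_FAILED"


def tea_bug():
    """Run the three TEA-surprise checks and print a verdict for each.

    Reads the module-level ``APPLE``, ``CACERT`` (both ``(host, port)``),
    ``FILE`` and ``HERE``.  Checks 2 and 3 trust only the CAcert root by
    passing this script's own path as ``cafile`` (it carries the PEM block
    at the end of the file) and its directory as ``capath``.

    Check 3 must fail: apple.com's chain does not lead to the CAcert root.
    If it verifies anyway, the platform's OpenSSL accepted an untrusted
    chain -- the bug this script exists to detect -- and the process exits
    with status 1.  Only an ``SSLError`` whose ``reason`` is
    ``CERTIFICATE_VERIFY_FAILED`` counts as the expected failure; any other
    handshake error (protocol mismatch, reset, ...) is reported as
    inconclusive rather than as a pass, because the chain was never
    evaluated in that case.

    Connection-level errors (``OSError`` other than ``SSLError``) are not
    caught and propagate to the caller.
    """
    print("Check '{}:{}' with default verify paths".format(*APPLE))
    err = _try_verify(APPLE)
    if err is None:
        print(" PASS")
    else:
        print(" FAIL -- no default certs available?")
        print(" {}".format(err))

    print("Check '{}:{}' with CACert as only root CA".format(*CACERT))
    err = _try_verify(CACERT, FILE, HERE)
    if err is None:
        print(" PASS")
    else:
        print(" FAIL")
        print(" {}".format(err))

    print("Check '{}:{}' with CACert as only root CA".format(*APPLE))
    err = _try_verify(APPLE, FILE, HERE)
    if err is None:
        print(" BUG -- check should have failed")
        print(" Your system is affected by the TEA surprise bug")
        sys.exit(1)
    elif _is_verify_failure(err):
        print(" PASS -- check failure expected")
        print(" {}".format(err))
    else:
        # A handshake that never reached chain verification proves nothing
        # either way; do not report it as a pass.
        print(" INCONCLUSIVE -- handshake failed before the chain was verified")
        print(" {}".format(err))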
if __name__ == "__main__":
    # Banner: interpreter, OpenSSL build and platform, so a pasted report can
    # be matched to the environment that produced it.
    major, minor, micro = sys.version_info[:3]
    print("Python {}.{}.{} ({})".format(major, minor, micro, sys.executable))
    print(ssl.OPENSSL_VERSION)
    print(platform.platform())
    print()
    tea_bug()
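# CAcert.org root certificate (http://www.cacert.org/certs/root.crt).
#
# The PEM block lives inside the script so that the script's own path (FILE)
# can be handed to OpenSSL as ``cafile``: OpenSSL's PEM loader scans for the
# BEGIN/END markers and ignores the surrounding text, so the Python source
# around it is harmless.  The string itself is never read by the Python code.
#
# Bound to its own name instead of ``CACERT``: rebinding ``CACERT`` (the
# ``(host, port)`` pair defined above) to this text would break ``tea_bug()``
# for anyone who imports the module rather than running it as a script.
CACERT_ROOT_PEM = """http://www.cacert.org/certs/root.crt
-----BEGIN CERTIFICATE-----
MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w
ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY
gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe
MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0
IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy
dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw
czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0
dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl
aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC
AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg
b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB
ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc
nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg
18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c
gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl
Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY
sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T
SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF
CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum
GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk
zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW
omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD
-----END CERTIFICATE-----
"""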